More on cert serialnumbers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I have been researching serial number in cert based on Jakob's comment:

"- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone
 numbers and as DER-encoded numbers.  Note that this is not the default in
 the openssl ca program.

- Serial numbers contain cryptographically strong random bits, currently at
 least 64 random bits, though it is best if the entire serial number looks
random from the outside. This is not implemented by the openssl ca program."

And this is supposedly from the CA/B BF?

Though Erwann responded:

"There’s no such requirement. It MUST be at most 20 octets long"

I see how for all certs other than the root (get to that later), I can control this with:

openssl rand -hex 20 > serial

then use 'openssl ca ...'

But from Kyle's comment, the first bit must be ZERO.

"I tend not to re-use keys, so I've found that putting 20 bytes (while clearing the high bit) of a digest of the SubjectPublicKeyInfo as the serial number works in that circumstance. [if you leave the high bit set, then DER mandates that it be encoded with a leading 0x00 byte, which makes it 21 bytes... which can cause problems with things built for PKIX.]"

Will that be the case with the above 'openssl rand', or is there some other step needed to zero out the first bit.

And is the openssl rand function 'safe' to use? Is it cryptographically strong?

As for the root cert created with 'openssl req ... -new -x509', it seems that a random 8 octet serial number is provided. Is there a way to boost that to 20 octects? Does it matter per Erwann's comment above?

Actually, I am trying to keep certs small, and the CAs I picture are not for millions of certs Smaller serial number size would be the preferred situation...

thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux